Love is blind. How about trust?

As of June 1, 2020, Tokopedia amass 4.8 average ratings on the iOS app store

In March 2020, a hacker claimed to have successfully collected a staggering 91 million user data from Indonesia’s e-commerce giant, Tokopedia. The previous year, its competitor, Bukalapak, experienced a similar affair. However, in both cases, users’ trust seems unaffected. The reason can be because the users are unaware of those misconducts or the potential harm of the breach. I bring forward the ethical issue of companies’ tendency to exploit users’ trust. Are we trusting them too blindly?

Following the news, Tokopedia stated that customers are safe and urged them to update their passwords. That can be true if usernames and passwords are the only data the hackers got their hands on. However, the hacker showed that the data also contain personal information such as full name, e-mail address, phone number, and birth date. At the very least, that data can be sold to spammers who will be happy to bombard unaware users with scam attempts. To put numbers on this, at least 8 buyers have each agreed to pay $5,000 for the data.

Trust plays a key role for an e-commerce site like Tokopedia [1]. Their CEO even mentioned that Tokopedia is a business of trust. We are willing to share our personal data in exchange for access to their services. Among others, we trust them to store our data securely. Of course, there is no such thing as a 100% secure system. In fact, that is exactly why we need trust; as a strategy to deal with uncertainty.

The left screen shows Tokopedia app asking for user’s preferences, such as favorite topics (Topik Favorit) and Subscription data (Langganan, e.g. electricity and phone bill). On the right side, users are encouraged to verify their accounts by uploading personal data such as Citizen Card (KTP) and a selfie.

Paradoxically, educating the users regarding the value of personal data does not align with the interest of data-driven companies. After all, those companies want to gather as much data as possible. It is tempting to keep users in the dark and rely on blind trust. Therefore, we should ask ourselves if we have been trusting them too blindly. Consequently, have they been exploiting our trust?

In the following paragraphs, I analyze the impact of the breach on trust using the 4Cs model [2]. As the name suggests, it dissects the matter into four layers: context, construction, curation, and codification. Technology makes it possible for companies to reduce perceived risk under a beautiful interface (see how cute the image is in their page asking for Citizen ID above?). The separation highlights that we should look beyond what is visible.

Illustrations of the 4Cs model. Construction, curation, and codification are the potential blind spots. (user icon: source)

Context

How do users experience the breach in the platform?

From my observation, nothing changes before and after the breach. Users do not get any prompt to change their passwords in the application itself, nor any e-mails. However, as a Firefox user, I got an alert the moment I entered Tokopedia website. Users who have not heard of the news and are not using Firefox may be clueless about the breach. The lack of response makes me wonder: are they trying to conceal it?

The prompt from Firefox when I access Tokopedia website

Clarification regarding the impact is key. Tokopedia should inform the users, within their platform, on what happened and which actions should be taken.

Construction

How much we know about the system design?

In this case, we are focusing on the security of personal data. This page describes how Tokopedia uses Alibaba Cloud to host their services. It also explains how they secure the networks and which the database they are using. To claim that our data is safe barring the breach, we need more information regarding the security design.

What is the root cause of the breach? Are there any additional data at risk? What architectural changes are they making after the breach?

Curation

Who has control of the platform?

After learning that Tokopedia hosts their applications in Alibaba Cloud, who happens to be one of the lead investors of Tokopedia, a question arises on how much control does Alibaba have. Besides, Tokopedia also has a partnership with OVO, a financial technology company, to serve as their payment platform.

We cannot just trust Alibaba and OVO to follow the terms that we have agreed with Tokopedia because we do not know what kind of data sharing exists between them.

Codification

Which rules have been violated?

Ironically, Indonesia’s Data Protection Law is still under review — it has been since 2015 — with no end in sight [3]. The current applicable regulation is “Privacy Protection in the Electronic System” by the Minister of Communication and Informatics. Users have to trust the ministry to monitor that users’ privacy is respected and secured accordingly. Looking at how this is the second case in two years, the relationship between the users and the government will be affected as well.

As this breach hurts both parties, Tokopedia should work together with the government to retrospect and prevent the same mistake happening again and again. Throughout the process, they need to keep the users in the loop.

In this post, I consider the tendency of tech businesses to exploit blind trust in favour of collecting as much data as possible. Trust is only ethical if it matches what is at stake. By analyzing the 4C layers, I discuss how minimal our knowledge is regarding the platform. Now that a breach has happened, we have to readjust our trust. Do not wait until the next Cambridge Analytica to happen. Now is the time.

Notes

[1] See Lankton & McKnight (2011).

[2] For an example of in-depth analysis with the 4Cs model, see Keymolen & Van der Hof (2019)

[3] More on the draft of privacy law and the relevance to the unicorns, including Tokopedia and Bukalapak, see my previous post (In Indonesian). Bear in mind that the privacy policies can be updated and may no longer be relevant.